Kaspersky in my Registry - and more


11 replies to this topic

#1 faster

faster

  • Members
  • 108 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 28 June 2017 - 05:20 PM

This is a very complex problem. I'm hoping to find an expert detective.

 

I have W7, and never used Kaspersky, but my registry contains a folder called Kaspersky.

I can't get rid of it. So that tells me it is illegitimate on my PC. Especially now, in light of the fact that Kaspersky is now under suspicion as a participant in Russian hacking. I learned of its existence from a good scanner, Wise Care 365. It only cleans registry stuff that is obvious junk. It tells me the Kaspersky is an empty key, so I delete it, but it comes right back. I can get to the Kaspersky folder through Wise, by right-clicking to show the registry item it found. Once I'm looking at the folder Wise helped me find, I try to delete it and am refused. I am the administrator.

 

What can I do about it? I want it gone.

 

Something is REALLY wrong here.

I did a RegEdit search. Couldn't get to that folder, because there are also 3 Kaspersky references in a folder called DriverStore. I tried to check out klif.inf, but in both places where it appeared in the registry, it could not be found in a search. (I use "Everything" for searches, because W7's search engine is putrid.)

While I was searching the registry, Zone Alarm popped up that Registry Editor was trying to load a driver. I couldn't read its name - too small, and couldn't copy it. But I went to ZA to tell me more, and it said programs rarely, if ever, need to load a driver, and suggested that my Registry editor might be corrupted. I scan often for malware, and my registry has never cropped up.

I've cut-pasted that ZA comment here:

"Registry Editor may be malicious. It may be attempting to affect other programs or the security of the system. Programs do not normally need to load a driver."

 

When I tried to delete the Kaspersky folder accessed through Wise, I got the same persistent popup, as well as being refused on delete. So I couldn't search any further. There might be more Kaspersky stuff in my registry.

 

Do you think I should try to delete those 3 drivers in the registry? Haven't tried, but bet I'd be refused. Is there a way to find out what kind of drivers they are? What they DO? And which hardware they are used by? There's always a hardware associated with a driver.

Though I kept clicking deny and to remember the denial, ZA kept popping up the same thing. Now I'm even more suspicious, but with RegEdit, too.

Now I think I know why. Without permitting the driver, I could not continue the scan for Kaspersky.

I searched for my registry. It showed this path: C:\Windows\System32\Tasks\Microsoft\Windows\Registry but there was no registry there. Just a 4KB file, "RegidleBackup."

 

I checked the properties of RegEdit. Its compatibility is for Windows Server 2008 (Service Pack 1).

I DO NOT, and never have, used a Windows Server OS. But I can't change the compatibility for this, and I can't change the settings - they're faded out.

 

I'm scared of making changes to my registry, even using System Restore, which I've never used. Once I used CCleaner, and it erased ALL of my 40 videos. I now have 3 times as many videos.

 

It seems clear my system has been "handled." Okay, if you're confused, so am I. But I'm no geek. CAN you help me?
 

I've been advised in the past to use some powerful software to clean my system for other problems. It's a complicated procedure, and I fear using them. CCleaner was one of those, which I wouldn't touch, ever again.

 

If I could save my videos, I might try. But RW CDROMs aren't big enough.

 

I want to know what was done to my system, how this happened, and why. Preferably also by WHOM. My system runs VERY slowly, and I'd bet this is part of the reason. Seems none of the antivirus, nor ZA, works very well. They can't stop much and can't fix anything, even though I keep them up to date and scan often. Malware outsmarts them all.

 

Thanks very much.




#2 Jaycan

Jaycan

  • Members
  • 461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:35 PM

Posted 28 June 2017 - 06:22 PM

Try Kaspersky AV > InfoTool (Note: Removal of all versions of Kaspersky AV) from Ultimate List of Uninstallers - SingularLabs; it may be the tool you need.

First check Programs and Features to see if Kaspersky is listed anywhere and start by deleting it from there. Sounds like an old install that was never fully removed.

 

Please read the Information section and run the Tool after that.

 

Options include a visit to Kaspersky forum for their removal tool and specific advice, then my only other option would be to install Revo Uninstaller from Piriform or File Hippo.

 

Is Zone Alarm your usual Antivirus and Firewall, or are you not sure?



Acer Computer with LG Monitor and Toshiba Laptop with Windows 7.1

Windows 64bit  8.1 - Always fully updated

Firefox / Google Chrome / Internet Explorer Browsers

Usually a home helper here or with friends and nimble fingered ladies who would rather sew or dust, but not clean the bugs out of a computer ...


#3 faster

faster
  • Topic Starter

  • Members
  • 108 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 29 June 2017 - 04:35 PM

I sent you a reply, but I guess it didn't take.

 

To use the Kaspersky tool, I have to provide my license number. Since I've never used a Kaspersky product, obviously I couldn't do that.

 

I downloaded Revo Uninstaller, but the programs it works on aren't my problem ones.

 

Yes, Zone Alarm is my firewall, but is not my antivirus (even though it keeps downloading data for its antivirus).

 

The best antivirus I've found is Clamwin. Where AVG, Avast, Malwarebytes, and Spybot S&D find nothing (Malwarebytes does find some PUPs), Clamwin has found over 50 infections, all in one scan, after I'd tried all the others.

 

But even Clamwin doesn't find the ones that really hurt.

 

I suspect some of my many problems are due to hacks, that somehow are able to get past Zone Alarm's firewall.

 

Security software today is really kind of putrid. Those who use malware and hacks are miles ahead of any of them.

 

For example, what is being done in the field of security to stop click-jackers? I can block them, but who's trying to keep them from putting click jacks on things like youtube videos - and a lot more?

 

It seems that crime really DOES pay.

 

Can you think of ANYTHING else that might keep Kaspersky from spying on me?  (Which is probably why its registry stuff can't be deleted, even by the administrator.)



#4 Jaycan

Jaycan

  • Members
  • 461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:35 PM

Posted 29 June 2017 - 10:49 PM

I sent you a reply, but I guess it didn't take.

There is nothing in my PM's and we do not work off the forum so others can see if we are helping or not. You post a P.M just like a post here, with a Title then fill in the Reply box.

A P.M is sent by clicking on my Black Cat Icon and finding "Send Message", but I will often quote it back on the forum to help others.

To use the Kaspersky tool, I have to provide my license number. Since I've never used a Kaspersky product, obviously I couldn't do that.

You may need to Uninstall or at least Disable, all Antivirus programs and in many cases only use Safe Mode with Networking. See at the top of Windows7 area here.

 

You are quoting too many programs; as with all Antivirus programs, there should only be one installed at any time. This could also be another problem.

You or another person may have installed another Antivirus without fully removing all previously installed Antivirus programs.

 

If you download CCleaner just run it as it downloads, never play with the settings unless instructed.

 

Below is the current solution from Kaspersky's Forum to remove all of these programs without playing in the registry even if you think you know it can cause problems.

A possible guide to use if things have gone bad with regards to uninstalling another AV:

1. Install JV Powertools or Powertools lite (Freeware).
2. Uninstall Kaspersky if it's installed and reboot.
3. Run the removaltool for the AV in question downloaded from link above.
4. Install the trial of JV Powertools, run it ..... click registry tools and select "Registry cleaner", when finished scanning you go to the topmenu and choose "Select > All", then you click "Fix" at the bottom, it will ask you if you wish to make a backup and you do, just to be safe. You can also try the "Clean & fix my computer" in JV Powertools.

 

5. Do not Reinstall Kaspersky as this seems to be your problem.

 

6. Now reinstall or re-enable only the One Antivirus program that you want and update it.

 

You are welcome to post back here as there may be others that have better advice than I do.





#5 Jaycan

Jaycan

  • Members
  • 461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:35 PM

Posted 29 June 2017 - 11:07 PM

If you wish to look further, Click Start > Then type Regedit in the box above the Start > Click on the result and agree (Yes) > Go to HKEY_LOCAL_MACHINE (HKLM) > Then Software.

 

In that Dropdown area you should see all installed security programs, and a lot of others that you should NEVER TOUCH.

 

Look for all old security programs and (like I have just done) Right Click and select Delete for what you do not want.

 

Hope this is also good for you.

 

EDIT : I will be in and around here for about the next 2 hours, so feel free to post back.


Edited by Jaycan, 29 June 2017 - 11:14 PM.




#6 faster

faster
  • Topic Starter

  • Members
  • 108 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 30 June 2017 - 10:39 AM

I've downloaded the jv16 Power Tools, and will get back to you if it helps.

 

I don't have more than one antivirus working at a time. The one active when I'm online is Clamwin. But I don't want to lose Spybot, which finds things a normal antivirus doesn't even look for. Malwarebytes has come in handy, but not for anything really serious. I could uninstall that one. I don't think my ZA is applying virus protection. I leave that inactive.

 

I'd like to ask a slightly unrelated question. On a desktop there is always a black background that the cursor cannot go into. Can you tell me where the color for that black background is?  The reason I ask is that something got into my system that turns that black background bright blue, and throws a pale blue "veil" over my whole desktop. It dulls the colors. It comes and goes, but is usually on. It makes everything I do, especially watching videos, unpleasant. I don't think it's a security threat, or causing any other harm, but the harm it does cause is spoiling most of the enjoyable things I do with my PC, including games.

 

Is it possible this blue veil has embedded itself in the machine language of my PC? If I could find a file or registry entry that controls it, it would be great. I have another veil - a green one, but it only affects certain games. So it probably lurks in a palette or a registry entry.

 

Could I beg you for some guidance on that?



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,047 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:35 PM

Posted 30 June 2017 - 01:33 PM

...I have W7, and never used Kaspersky, but my registry contains a folder called Kaspersky.
I can't get rid of it. So that tells me it is illegitimate on my PC. Especially now, in light of the fact that Kaspersky is now under suspicion as a participant in Russian hacking. I learned of its existence from a good scanner, Wise Care 365....

There are numerous programs which purport to improve system performance, make repairs and tune up a computer. Many of them include such features as a registry cleaner, registry optimizer, disk optimizer, etc. Some of these programs even incorporate optimization and registry cleaning features alongside anti-malware capabilities. These registry cleaners and optimizers claim to speed up your computer by finding and removing orphaned and corrupt registry entries that are responsible for slowing down system performance. There is no statistical evidence to back such claims. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potentially dangerous product. I would not trust any results such programs detect as problematic or needing repair, nor recommend using the options to fix them.

It is not uncommon for registry cleaners to find thousands of "so-called issues" with registry keys, so I wouldn't be concerned about those kinds of findings since most of them are not actually harmful to a computer system. Keep in mind that some Tech support folks and scammers will use such findings to scare customers into thinking their computer is infected or has real problems when that is not the case. This is a common tactic scammers use in order to goad people into paying for unnecessary computer repairs so they can make money.
 

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons.

Why you should not use Registry Cleaners and Optimization Tools


As for Kaspersky being investigated, I have read that some folks in the security industry believe that is being done purely for political reasons between the two countries.

With that said, the presence of Kaspersky related items could be legitimate. Kaspersky does make specialized fix tools (Virus-fighting utilities) some of which could add entries to the registry if used. Kaspersky also offered a free online virus scan several years ago which folks could use to get a second opinion.

Further, some anti-virus and security vendors combine third party anti-virus engines with their own technology....Checkpoint (ZoneAlarm) use Kaspersky.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 Jaycan

Jaycan

  • Members
  • 461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:35 PM

Posted 30 June 2017 - 07:33 PM

I've downloaded the jv16 Power Tools, and will get back to you if it helps.

 

I don't have more than one antivirus working at a time. The one active when I'm online is Clamwin. But I don't want to lose Spybot, which finds things a normal antivirus doesn't even look for. Malwarebytes has come in handy, but not for anything really serious. I could uninstall that one. I don't think my ZA is applying virus protection. I leave that inactive.

 

I'd like to ask a slightly unrelated question. On a desktop there is always a black background that the cursor cannot go into. Can you tell me where the color for that black background is?  The reason I ask is that something got into my system that turns that black background bright blue, and throws a pale blue "veil" over my whole desktop. It dulls the colors. It comes and goes, but is usually on. It makes everything I do, especially watching videos, unpleasant. I don't think it's a security threat, or causing any other harm, but the harm it does cause is spoiling most of the enjoyable things I do with my PC, including games.

 

Is it possible this blue veil has embedded itself in the machine language of my PC? If I could find a file or registry entry that controls it, it would be great. I have another veil - a green one, but it only affects certain games. So it probably lurks in a palette or a registry entry.

 

Could I beg you for some guidance on that?

>> I've downloaded the jv16 Power Tools, and will get back to you if it helps << I have quoted your full post, and I will pick from there.

 

The only reason jv16 Power Tools is listed is due to it being a direct Copy and Paste from Kaspersky Forum as one of their preferred methods to uninstall.

DO NOT KEEP IT as quoted by quietman7 once you use it. Please try my Regedit post at post #5 now.

CCleaner from Piriform should be OK to use only as downloaded; first hit Analyse, then if you are OK with the result hit the Run Cleaner button.

 

Manufacturers or retailers may add sample versions of Antivirus programs, mine was Norton (Symantec) 3 month trial. It took 3 months to remove it.

 

>> On a desktop there is always a black background that the cursor cannot go into. Can you tell me where the color for that black background is? << Try Control Panel > Display > Change Display Setting > Under Resolution > Move the slider up to the top where it should read Recommended > Apply > OK > Now try and set a fairly plain Screen Saver from the bottom of that area.

 

Keep us informed.





#9 Platypus

Platypus

  • Global Moderator
  • 15,746 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:35 PM

Posted 30 June 2017 - 10:29 PM

In case the significance of what Quietman7 has posted slips by, faster, I really think you will be chasing a phantom.

Checkpoint (ZoneAlarm) use Kaspersky.


I don't think my ZA is applying virus protection. I leave that inactive.


If you have a Zone Alarm product such as Free AV + Firewall installed, it's entirely likely it will maintain references to the Kaspersky technology it is using, even if the real time AV is off. You would expect that if Kaspersky items being used by ZA are deleted, ZA's watchdog would notice and restore them. In other words, the behaviors you're noticing could be Zone Alarm protecting itself from you.

There's always a hardware associated with a driver.


No, Windows (or any Protected Mode Operating System) can and does have virtual devices which are a driver that behaves as a piece of hardware would, which can be a useful way to implement functions without involving any hardware. A common example would be a virtual DVD drive, which allows an ISO file of DVD contents to be mounted and used as if it is a DVD in a physical drive, without having a physical DVD or drive present.

I searched for my registry. It showed this path: C:\Windows\System32\Tasks\Microsoft\Windows\Registry but there was no registry there.


The Windows Registry is not a single file, it is mainly composed of several files called hives in \system32\config\, not where you looked.

I checked the properties of RegEdit. Its compatibility is for Windows Server 2008 (Service Pack 1).
I DO NOT, and never have, used a Windows Server OS. But I can't change the compatibility for this, and I can't change the settings - they're faded out.


That is completely normal. If you read at the top of the properties tab, it says "Compatibility modes cannot be set on this program because it is part of this version of Windows".

Because it cannot be done, the options are greyed out. Windows Server 2008 (Service Pack 1) is simply the first option that shows in the dropdown selection list for compatibility modes if it could be enabled.

something got into my system that turns that black background bright blue, and throws a pale blue "veil" over my whole desktop. It dulls the colors. It comes and goes, but is usually on.


The symptom is called a "cast" and is usually an indication of a hardware fault, either in the monitor, connecting cable or video card. A process of elimination (swapping and substitution) should be used to determine exactly where it's happening. Sometimes unplugging and reconnecting the video cable running to the monitor can wipe a tarnished contact and cure it.
Top 5 things that never get done:

1.
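An added example, not code from the thread or from any of the vendors mentioned: a read-only PowerShell inventory that answers the original question ("what kind of drivers are they, and whose are they?") and follows Platypus's point that a self-protecting product will restore its own keys. It lists every service or driver whose name, display name or image path matches a pattern, with start type, running state, signer of the binary, and the provider named in any matching DriverStore INF; the default pattern `kaspersky|^kl`, the DriverStore path and Windows 7 with PowerShell 2.0 or later on an elevated prompt are assumptions.

```powershell
# Added example (not from the thread): a read-only inventory of services, drivers
# and DriverStore packages whose names match a pattern, with signer and INF
# provider, so "what is this driver and whose is it?" can be answered before
# touching anything. Assumes Windows 7, PowerShell 2.0+, an elevated prompt.
param([string]$Pattern = 'kaspersky|^kl')   # assumption: regex for names of interest

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Service name -> Running/Stopped for kernel and file-system drivers (from WMI).
$driverState = @{}
Get-WmiObject Win32_SystemDriver | ForEach-Object { $driverState[$_.Name] = $_.State }

function Resolve-ImagePath([string]$raw) {
    # ImagePath comes as \??\C:\..., \SystemRoot\..., system32\... or "C:\x.exe" -args;
    # normalise it to a plain file path ($null when the value is empty).
    if (-not $raw) { return $null }
    $p = $raw -replace '^\\\?\?\\', '' `
              -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
              -replace '^system32\\', "$env:SystemRoot\system32\"
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }   # drop quotes and arguments
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-DriverInventory([string]$Pattern) {
    foreach ($key in Get-ChildItem $servicesKey) {
        $p     = Get-ItemProperty -Path $key.PSPath
        $name  = $key.PSChildName
        $image = Resolve-ImagePath $p.ImagePath
        if ("$name $($p.DisplayName) $image" -notmatch $Pattern) { continue }
        $onDisk = [bool]($image -and (Test-Path -LiteralPath $image))
        # Embedded Authenticode signature. Catalog-signed (typically Microsoft) files
        # report NotSigned here; a third-party kernel driver should show Valid.
        $sig = if ($onDisk) { Get-AuthenticodeSignature -FilePath $image }
        New-Object PSObject -Property @{
            Service  = $name
            Kind     = if ($p.Type -eq 1) { 'kernel driver' } elseif ($p.Type -eq 2) { 'fs driver' } else { 'service' }
            Start    = if ($p.Start -ne $null) { $startNames[[int]$p.Start] } else { '' }
            State    = if ($driverState.ContainsKey($name)) { $driverState[$name] } else { '' }
            OnDisk   = $onDisk
            SigCheck = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Image    = $image
        }
    }
}

function Get-DriverStoreInfs([string]$Pattern) {
    # Each package folder is <name>.inf_<arch>_<hash>; read the INF's [Version]
    # fields and resolve %Token% values from [Strings] to name the provider.
    $repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    $dirs = Get-ChildItem -Path $repo | Where-Object { $_.PSIsContainer -and $_.Name -match $Pattern }
    foreach ($dir in $dirs) {
        foreach ($inf in Get-ChildItem -Path $dir.FullName -Filter '*.inf') {
            $strings = @{}; $fields = @{}; $section = ''
            foreach ($line in Get-Content -LiteralPath $inf.FullName) {
                if ($line -match '^\s*\[(.+?)\]') { $section = $Matches[1]; continue }
                if ($line -match '^\s*([^;=\s]+)\s*=\s*(.+?)\s*(;.*)?$') {
                    if ($section -eq 'Strings')      { $strings[$Matches[1]] = $Matches[2].Trim('"') }
                    elseif ($section -eq 'Version')  { $fields[$Matches[1]]  = $Matches[2] }
                }
            }
            $provider = $fields['Provider']
            if ($provider -match '^%(.+)%$' -and $strings.ContainsKey($Matches[1])) {
                $provider = $strings[$Matches[1]]
            }
            New-Object PSObject -Property @{
                Package = $dir.Name; Inf = $inf.Name; Provider = $provider
                DriverVer = $fields['DriverVer']; CatalogFile = $fields['CatalogFile']
            }
        }
    }
}

"== Services and drivers matching '$Pattern' =="
Get-DriverInventory $Pattern |
    Select-Object Service, Kind, Start, State, OnDisk, SigCheck, Signer, Image |
    Format-Table -AutoSize -Wrap
"== DriverStore packages matching '$Pattern' =="
Get-DriverStoreInfs $Pattern |
    Select-Object Package, Inf, Provider, DriverVer, CatalogFile | Format-Table -AutoSize
```

A Signer of Check Point or Kaspersky on a running klif-style filter driver, with the ZoneAlarm service also present, is the picture Platypus describes; a driver whose image is missing from disk or whose signature does not verify is the case worth bringing back to the forum rather than deleting by hand.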

#10 Jaycan

Jaycan

  • Members
  • 461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:35 PM

Posted 01 July 2017 - 07:31 PM

Hi again,

If you did install the trial version of jv16 Power Tools, then all you needed to look at was Main Tools >> Uninstall software and leftovers, then Delete the program.

Do not use any Speed up my computer or other areas.

 

It also seems that we missed the quote from quietman7 our expert on these programs so it is requoted below.

As for Kaspersky being investigated, I have read that some folks in the security industry believe that is being done purely for political reasons between the two countries.
With that said, the presence of Kaspersky related items could be legitimate. Kaspersky does make specialized fix tools (Virus-fighting utilities) some of which could add entries to the registry if used. Kaspersky also offered a free online virus scan several years ago which folks could use to get a second opinion.
Further, some anti-virus and security vendors combine third party anti-virus engines with their own technology....Checkpoint (ZoneAlarm) use Kaspersky.

Further, re your other problems, as per Platypus, please unplug and replug all screen leads to check all are installed fully and correctly.

 

Next click the Start Orb and type CMD in the box and on the top item Right click and select Run as Administrator.

Now type sfc /scannow and then hit Enter. Make sure there is a space between sfc and / for the command to run correctly.

This will take quite some time to run as it checks all installed Windows files, usually in several stages.

Do not stop the operation of this program (unless you are issued with a warning) but let it run the full session that depends on your system.

Mine runs for about 30 minutes but I do it every 3 to 4 months as part of my routine checks.





#11 faster

faster
  • Topic Starter

  • Members
  • 108 posts
  • OFFLINE
  •  
  • Local time:08:35 PM

Posted 01 July 2017 - 09:51 PM

I think the explanation of Kaspersky being associated with ZA is probably adequate. Naturally, I tend to be suspicious of Kaspersky on the whole, but as a part of ZA, I have to accept it.

Thanks for the tip on sfc. Didn't know I even had it on my system.

The instructions to change the color scheme led me to a window where I have to click and drag the thing I want color-checked, but since the cursor can't go into that space, I can't do it. That's why I think the infection may be in the machine language.

The suggestion that the blue veil may be related to a device sounds reasonable. A friend said it might be my old surge protector. I bought a new one, but it didn't help (I needed a new one anyway), but now you've made me suspect my monitor. It is a VERY old huge one.

So I won't work on the blue veil thingy until I get a new monitor.

I knew enough not to trust that thing I downloaded to increase bootup time. It found over 6,000 bad things! Maybe it IS that bad, but why don't antivirus programs find ANY of it?

So I assume there's more malware than antivirus programs can find, but there's also far less than 6000 bad things. So I did nothing after I saw the result of the scan. I let scandisk just automatically deal with a zillion files that had a problem a few years ago. BAD decision. Every single document and many program files got truncated. Thousands of them! I'm still renaming documents.

My gripe against CCleaner stands. This speed booster did the same thing. It found a lot of stuff and asked me to just "fix it all" with one click.

CCleaner did the same thing.

No way, Jose.

Once upon a time I had a great registry cleaner. It gave me a lot of information on each thing it found. So I could double check a lot. What program it is used by, and also put findings into 3 categories. Green, you can delete, with no risk, because it will come back if it's good. Yellow for caution in deleting, and Red for taking great care before deleting.

I never had a problem with that program, but it won't work on W7. Lots of good stuff had to go, mainly because W7 doesn't have any DOS. Each new OS takes more and more control out of the hands of the user. Which sucks big donkey...

There seems no way to find disk errors on W7. No scanner. My disk must be dripping with cross-references and other file and disk errors. Why no Scandisk?

There's no difference between shutting down properly and just turning off the electricity after Windows tone closes it. I'd never dare do that with my old W98SE.

We seem to pay more for newer and poorly written OSs. And we're FORCED to do it. I wish I could go back to W98SE.



#12 Jaycan

Jaycan

  • Members
  • 461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:35 PM

Posted 02 July 2017 - 03:04 AM

From your statements it sounds like you "played" with CCleaner and did not just run it "as downloaded". The same with JV Powertools.

 

Your instructions were simply as follows and nothing more.

If you did install the trial version of jv16 Power Tools, then all you needed to look at was Main Tools >> Uninstall software and leftovers, then Delete the program.

Do not use any Speed up my computer or other areas.

Scandisk is by the use of DISKCHECK /R and SFC /SCANNOW only if you have been listening and following or a DiskCheck can be selected as per below.

 

A Diskcheck for an updated Windows7.1 NOT called Scandisk is by this method.

 

Click the Start Orb and on your Right should be listed Computer > Left Click on this and you will be presented with your Main Drives, not Drivers.

Right click on your main Hard Drive and you are presented with several options > You select Tools > From here you can select Backup, Defrag the Hard Drive, or Error Checking. << This is the DiskCheck.

Select Error Checking and Check Now. Then tick Both boxes that show and select Start.

You will be informed that the Disk is in use and at this point you Reboot the system.

 

A 5 stage DiskCheck will commence Only when your system Reboots, and be prepared for anything from 45 minutes to 1.5 hours depending on your system.

 

DO NOT stop this process as it must run to completion, when it will reboot your computer back to normal mode.


